Issues and Challenges of Secure Policy Specification Languages Sailaja Arsi 1 , Venkata N. Inukollu 1 , Joseph E. Urban 2 Computer Science Department 1 Industrial Engineering Department 2 Texas Tech University Lubbock, Texas 79409 USA {sailaja.arsi, narasimha.inukollu, joseph.urban}@ttu.edu Abstract - Security policies which describe the behavior of a system through specific rules are becoming an increasingly popular approach for static and dynamic environment applications. The SANS top 20 critical controls are a de facto standard in the software industry to protect against cyber crime. This paper shows the importance of applying the SANS critical controls to a product for producing effective results. This paper provides a policy framework, issues that a secure policy specification language faces, and challenges for secure policy specification languages. Keywords - Secure Specification Language, Policy, Policy Specification Language, Software Development Life Cycle (SDLC), SANS Critical Controls. 1 INTRODUCTION A security policy can be defined as a set of rules that specifies the specific behavior of a system [1] and includes all the constraints within. There is a need to represent the security policies in a formal/informal specification language. Software engineering is an application of engineering to software, which is indeed a significant, methodical, and disciplined approach to representation, development, performance, and maintenance of software. Security is a component of software engineering. Due to advancements in technology, secure software engineering [2] has become an important aspect/asset of software quality. In the software development life cycle [3] (SDLC), for effective software development, security as a process should be considered at the same priority as the life cycle phase’s functionalities. The idea of incorporating security into software from the beginning of development has gained acceptance. Secure software engineering is required throughout the software development life cycle. A main goal of secure software engineering is the gathering of security requirements, design, development, maintenance, verification, and validation of secure and functioning software. In secure software engineering, during the life cycle phases, from the initial phase to deployment phase, confidentiality, integrity, and availability objectives are specified. There is a need to add security in the requirements phase itself in order to reduce the time, cost, quality, and resources at the end of the deployment phase, if any problem occurs. For specifying the secure requirements, there should be a medium for writing the secure requirements in a formal specification language that is understandable by both stakeholders and developers. Designers/developers should follow the secure policy specifications for further development of the software. Risk ISBN:978-0-9891305-8-5 ©2014 SDIWC 171